AI browser extensions
Is the ChatGPT Chrome extension safe?
There's no single "ChatGPT Chrome extension". OpenAI ships the Atlas browser and a modest search extension; most "ChatGPT sidebar" extensions are third-party, and several with 900k+ installs were caught stealing chats. Here's how to tell them apart and stay safe.
- Official from OpenAI: Atlas browser + "ChatGPT search" extension
- The trap: Most "ChatGPT sidebar" extensions are third-party
- Documented theft: 900k+ installs caught exfiltrating chats (OX Security)
Is there an official ChatGPT Chrome extension, and is it safe?
There isn't one single "ChatGPT Chrome extension", and that's exactly where the risk starts. OpenAI ships two official things: Atlas, a standalone Chromium browser with ChatGPT built in (launched October 2025), and a modest "ChatGPT search" Chrome extension that just makes ChatGPT your default search. The search extension is low risk. Atlas is a full browser with an agent mode that can act inside your logged-in sessions.
Almost every other "ChatGPT", "ChatGPT sidebar" or "AI assistant" extension in the Web Store is third-party, not OpenAI. Several have been caught red-handed: OX Security found two extensions impersonating a legitimate AI sidebar, with roughly 900,000 combined downloads, quietly shipping users' ChatGPT and DeepSeek conversations plus every tab's URL to a server every 30 minutes. LayerX documented a wider campaign of around 30 fake ChatGPT, Gemini and Claude extensions with 260,000+ installs stealing credentials and email content.
So the honest answer: OpenAI's own products are legitimate, but the field around them is full of dangerous lookalikes, and even Atlas has documented injection issues. The safe move is to install only OpenAI's official listings, treat any third-party "ChatGPT" extension as guilty until scanned, and check what's already in your browser.
What it can access
- The official "ChatGPT search" extension: sets your default search - modest access
- Atlas agent mode: navigates, fills forms and transacts inside your authenticated sessions
- Third-party "sidebar" extensions: typically request read-and-change access to every site you visit
- Your AI conversations: the prime target - fake extensions have shipped ChatGPT and DeepSeek chats to remote servers
What to watch for
- Lookalikes: OX Security found two fake AI-sidebar extensions (~900k downloads) exfiltrating chats and tab URLs to a C2 every 30 minutes
- The AiFrame campaign (LayerX): ~30 fake ChatGPT/Gemini/Claude extensions, 260k+ installs, stealing credentials and Gmail content via injected iframes
- Omnibox injection in Atlas (NeuralTrust): a string that looks like a URL can smuggle instructions the browser treats as trusted user intent
- "Tainted Memories" (LayerX): claimed persistent injection into ChatGPT's cross-device memory - OpenAI disputes this applies to Atlas
What ChatGPT in Chrome (Atlas + extensions) can access, permission by permission
How to use ChatGPT in Chrome without getting burned
The single biggest win here is not installing the wrong thing. Then bound what the real thing can do.
1. Check the publisher, not the name
   In the Web Store, confirm the developer is genuinely OpenAI. A polished icon and "ChatGPT" in the title mean nothing - the 900k-download data-stealers looked completely legitimate.
2. Prefer OpenAI's own products
   If you want ChatGPT in the browser, use OpenAI's Atlas or the official "ChatGPT search" extension. Skip third-party "all-in-one AI sidebar" extensions unless you've scanned them and trust the developer.
3. Scan any sidebar extension before trusting it
   Paste its ID into a behavioural scan to see whether it reads pages it has no reason to touch or ships data to unknown endpoints. Permissions alone won't reveal a 30-minute exfiltration beacon.
4. Bound Atlas's agent mode
   Use logged-out mode or per-action confirmation for anything sensitive, and don't let the agent run free across banking, email and admin tabs.
5. Sweep your whole fleet
   If staff have been installing "ChatGPT" extensions, inventory every one across the org and remove the impostors before they harvest another month of chats.
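A first-pass inventory for the steps above, as an added example (not code from this page or from any vendor's tooling): it walks a Chrome profile's `Extensions` directory, resolves localized names, and flags extensions that pair an AI brand name with all-site access. The keyword list, function names and the sample extension IDs and manifests are assumptions constructed for illustration.

```python
import json
import re
import tempfile
from pathlib import Path

AI_BRANDS = re.compile(r"chatgpt|openai|claude|gemini|deepseek", re.I)  # assumed keyword list
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}  # patterns meaning "every site"

def display_name(ext_dir, man):
    """Resolve a localized "__MSG_key__" name via _locales/<default_locale>/messages.json."""
    name = man.get("name", "")
    m = re.fullmatch(r"__MSG_(\w+)__", name)
    if not m:
        return name
    path = ext_dir / "_locales" / man.get("default_locale", "en") / "messages.json"
    try:
        msgs = {k.lower(): v for k, v in json.loads(path.read_text("utf-8-sig")).items()}
    except (OSError, ValueError):
        return name
    return msgs.get(m.group(1).lower(), {}).get("message", name)

def inventory(extensions_root):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json; flag AI-branded all-site extensions."""
    rows = []
    for mf in sorted(Path(extensions_root).glob("*/*/manifest.json")):
        try:
            man = json.loads(mf.read_text("utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable manifest: skip it, keep sweeping
        # MV3 lists hosts in host_permissions; MV2 mixes host patterns into permissions.
        hosts = {p for p in man.get("host_permissions", []) + man.get("permissions", [])
                 if isinstance(p, str)}
        for cs in man.get("content_scripts", []):
            hosts.update(cs.get("matches", []))
        name, broad = display_name(mf.parent, man), bool(hosts & BROAD)
        rows.append({"id": mf.parent.parent.name, "name": name, "all_sites": broad,
                     "review": broad and bool(AI_BRANDS.search(name))})
    return rows

def demo():
    """Inventory a constructed sample profile: a localized all-site 'sidebar' and a narrow extension."""
    with tempfile.TemporaryDirectory() as root:
        a, b = Path(root, "a" * 32, "1.0_0"), Path(root, "b" * 32, "2.1_0")
        (a / "_locales" / "en").mkdir(parents=True)
        b.mkdir(parents=True)
        (a / "manifest.json").write_text(json.dumps({"name": "__MSG_appName__",
            "default_locale": "en", "host_permissions": ["<all_urls>"], "permissions": ["tabs"]}))
        (a / "_locales/en/messages.json").write_text('{"appName": {"message": "ChatGPT Sidebar"}}')
        (b / "manifest.json").write_text(json.dumps({"name": "Tab Counter", "permissions": ["tabs"]}))
        return inventory(root)
```

A flagged row is a prompt to verify the publisher and run a behavioural scan; the manifest shows what an extension may touch, not what it sends.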
The evidence behind this
“Prompt injection remains a frontier, unsolved security problem.”
OpenAI CISO Dane Stuckey, on Atlas
OpenAI's own security lead, at the Atlas launch. The vendor closest to the product won't call this solved.
“Two extensions impersonating a legitimate AI sidebar, ~900,000 downloads between them, quietly shipped users' ChatGPT and DeepSeek conversations to a server every 30 minutes.”
OX Security
The reason to check the publisher, not the name, before installing any "ChatGPT" extension.
“Extensions that look Featured and Verified have uploaded users' ChatGPT and Claude conversations. Reputation signals can't see runtime exfiltration.”
The AI Chat Scraping Wall of Shame
Our own research on extensions built to harvest AI chats.
Frequently asked questions
Is there an official ChatGPT extension for Chrome?
Yes, but it's narrow. OpenAI publishes a "ChatGPT search" extension that makes ChatGPT your default search engine, and it's low risk. OpenAI's bigger browser play is Atlas, a standalone Chromium browser with ChatGPT built in, not a Chrome extension. There is no official OpenAI "ChatGPT sidebar" extension, so treat anything marketed that way as third-party.
Are ChatGPT sidebar extensions safe?
Many are not. Security researchers have repeatedly caught extensions branded as ChatGPT (and Claude, Gemini and DeepSeek) sidebars stealing data. OX Security found two with about 900,000 combined downloads exfiltrating conversations and tab URLs every 30 minutes; LayerX documented roughly 30 more with 260,000+ installs stealing credentials and Gmail content. Some legitimate sidebar extensions exist, but the category is heavily abused, so scan before you trust.
Can the ChatGPT Atlas browser be tricked by a web page?
It has been, in research. NeuralTrust showed an "omnibox" injection where a string that looks like a URL is treated as trusted user intent and its embedded instructions get run. Researchers also demonstrated clipboard-based injection. OpenAI's own CISO has called prompt injection a frontier, unsolved security problem and says it's unlikely to ever be fully solved, which is why Atlas ships logged-out and watch modes for sensitive actions.
What about the "Tainted Memories" ChatGPT vulnerability?
LayerX reported a technique to inject persistent malicious instructions into ChatGPT's cross-device memory via a cross-site request. OpenAI publicly disputed that it applies to the Atlas browser, and LayerX stood by its research. We flag it so you know both positions: whichever way it lands, it underlines that AI memory and agentic actions widen the blast radius of any injection.